May 2005
Malicious Software Report - New W32.Sober Payload
ID: 00416
Ref: 385/2005
Date: 16 May 2005:15:47:23
Version: 1
Title: Malicious Software Report - New W32.Sober Payload
Abstract: UNIRAS are receiving reports of large quantities of unsolicited e-mails that include links to web pages that in some cases contain German right-wing material. These pages do not appear to contain malicious software.
Detail
======
UNIRAS are receiving reports of large quantities of unsolicited e-mails that
include links to web pages that in some cases contain German right-wing material.
These pages do not appear to contain malicious software.

It has been suggested that the e-mails are being sent from computers that have
been infected with a recent variant of the W32.Sober e-mail virus. It is probable
that this mass mailing behaviour is due to a new payload being added to infected
systems.

If you use spam filters you may wish to ensure that they are set up to filter these
messages. The following URLs may also be of assistance:

F-SECURE: SOBER-Q
"Sober.Q was found on May 14th, 2005. This Sober variant doesn't spread itself in
e-mails. Instead, it mass-mails political statements. Sober.Q is installed to
computers infected by Sober.P."
http://www.f-secure.com/v-descs/sober_q.shtml

INTERNET STORM CENTRE
"It would appear that this may be related to the Sober.Q virus"
"Sober.G last June also had an element of spamming associated with it"
http://isc.sans.org/diary.php?date=2005-05-15

TREND MICRO: WORM_SOBER.U
"This worm is downloaded and executed by WORM_SOBER.S from specific Web sites.
It uses its own SMTP (Simple Mail Transfer Protocol) engine to send messages to
all email addresses it obtains from files with certain extensions. However, it
avoids sending messages to email addresses that contain particular strings."
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FSOBER%2EU